vfs_fruit bug in ACL get/set.

Jeremy Allison jra at samba.org
Fri Mar 2 17:14:59 UTC 2018

Hi Ralph,

I just created:


In fruit_fget_nt_acl() the 3 extra ACE entries
corresponding to mode/uid/gid are always added
to the returned ACL as virtual ACE entries that
are not expected to be stored in the file ACL on disk.

In fruit_fset_nt_acl() the client-sent ACL is applied
to the file, then the mode entry (if sent) is used to
do the CHMOD - but the client-sent ACL is applied
without removing any virtual ACE entries.

If a naive client just round-trips get/set/get/set,
on every set the 'virtual' ACE entries will be stored
in the xattr.

I think the correct action on fruit_fset_nt_acl()
is to check for - then *remove* any virtual ACE
entries sent by the client before passing down
to the underlying SET_NT_ACL call.

(Discovered by code review when designing a similar
mechanism for SMB2 UNIX extensions).

I'm happy to fix as a pre-requisite patch for my
SMB2 unix extensions work, but I wanted you to
take a look so I can get your opinion.
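The round trip described in the message above, as an added sketch that is not Samba code and not from the author. It is a simplified C model in which every type, function name and value is hypothetical; it compares the stored ACL size when set keeps the virtual ACE entries with the size when set strips them first.

```c
/* Simplified model of the get/set round trip; not Samba code, all names hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum ace_kind { ACE_REAL, ACE_VIRT_MODE, ACE_VIRT_UID, ACE_VIRT_GID };
struct ace { enum ace_kind kind; unsigned value; };
#define MAX_ACES 64
struct acl { size_t n; struct ace aces[MAX_ACES]; };

static int acl_append(struct acl *l, enum ace_kind k, unsigned v)
{
    if (l->n >= MAX_ACES) return -1;           /* refuse to overflow the array */
    l->aces[l->n++] = (struct ace){ k, v };
    return 0;
}

/* Get path: stored ACL plus three virtual entries (constructed sample values). */
static int model_get(const struct acl *disk, struct acl *out)
{
    *out = *disk;
    return acl_append(out, ACE_VIRT_MODE, 0644) ||
           acl_append(out, ACE_VIRT_UID, 1000) || acl_append(out, ACE_VIRT_GID, 1000);
}

/* Set path: with strip_virtual, drop virtual entries before storing. */
static int model_set(struct acl *disk, const struct acl *in, int strip_virtual)
{
    struct acl kept = { 0 };
    for (size_t i = 0; i < in->n; i++) {
        if (strip_virtual && in->aces[i].kind != ACE_REAL) continue;
        if (acl_append(&kept, in->aces[i].kind, in->aces[i].value)) return -1;
    }
    *disk = kept;
    return 0;
}

/* Entries stored after a naive client repeats get then set; (size_t)-1 on overflow. */
size_t stored_after_roundtrips(size_t real, int trips, int strip_virtual)
{
    struct acl disk = { 0 }, wire;
    for (size_t i = 0; i < real; i++)
        if (acl_append(&disk, ACE_REAL, (unsigned)i)) return (size_t)-1;
    for (int t = 0; t < trips; t++)
        if (model_get(&disk, &wire) || model_set(&disk, &wire, strip_virtual)) return (size_t)-1;
    return disk.n;
}

int main(void)
{
    printf("no strip: %zu, strip: %zu\n", stored_after_roundtrips(2, 3, 0), stored_after_roundtrips(2, 3, 1));
    return 0;
}
```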